feat(core): allow validation plugins to create new files in cloud assembly#38007
Open
kaizencc wants to merge 3 commits into
Open
feat(core): allow validation plugins to create new files in cloud assembly#38007kaizencc wants to merge 3 commits into
kaizencc wants to merge 3 commits into
Conversation
…embly Previously, the integrity check fingerprinted the entire outdir and rejected any change at all. This prevented plugins from writing output files (e.g. validation reports, SARIF files) to the assembly directory. The check now snapshots only pre-existing file hashes before plugins run. Modifications or deletions of pre-existing files are still caught, but new files created by plugins are permitted.
Contributor
|
PRs without a linked issue will receive lower priority for review and merging. Please update the description to follow the PR template and include a line like |
aws-cdk-automation
previously requested changes
May 26, 2026
rix0rrr
approved these changes
May 27, 2026
kaizencc
added
pr-linter/exempt-readme
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
outdirto snapshotting only pre-existing file hashes before plugins run.FileSystem.fingerprintwith per-file SHA-256 hashes becausefingerprintcomputes a single hash over the entire directory tree, making it impossible to distinguish new files from modifications to existing ones.The plugin contract is updated from "plugins cannot modify the cloud assembly" to "plugins cannot modify or delete files that existed in the cloud assembly prior to plugin execution."
Test plan
plugin tries to modify a template— still throws (modification of pre-existing file)plugin that writes new files to assembly is allowed— creates a file, no error, file contents verifiedplugin that deletes pre-existing file is caught— deletion detected and throws